ubuntu-post-install
Get started →
Ubuntu 22.04 · 24.04 · v2.0.0

Fresh Ubuntu.
Done right.

One script. 15 steps. Hardening, privacy, developer tooling, GNOME configuration, and optional third-party software — fully automated, fully auditable.

Quick start Full docs
bash — ubuntu-post-install.sh
$ bash ubuntu-post-install.sh --theme dark --extras devops,signal --power-profile performance
Step 1 — System update complete.
Step 2 — Firewall configured (ufw, hardened).
Step 3 — GNOME settings applied.
Step 4 — System hardened (root locked, USBGuard active).
Step 5 — Apps installed (nala, keepassxc, obsidian, mullvad…).
➡️ Step 9 — Nerd Fonts already installed. Skipping.
Step 15 — Extras: docker, gh, hashicorp, podman, signal done.
$
15
Automated steps
19
Optional extras
7
Extras groups
3
Firewall engines
CIS
Benchmark aligned
Why this script

Everything a fresh install needs.
Nothing it doesn't.

Built for people who know what they want. Every step is transparent, every default is documented, every choice is overridable.

🔒

CIS-aligned hardening

Locks root, installs USBGuard, stops and masks risky services, removes legacy packages. Three profiles: desktop, enterprise, server.

🛡️

Privacy by default

Mutes audio, kills mic, disables remote desktop, clears bash history, removes recent files tracking. Off by default, opt back in.

🦊

Firefox + arkenfox

Multiple profiles, hardened or relaxed user.js, uBlock Origin + Privacy Badger, optional extension set. All automated.

📦

19 extras, 7 groups

Docker, GitHub CLI, Signal, VSCode, Brave, ProtonVPN, Slack and more — each via its official repo. One flag, no manual repo setup.

Idempotent

Already-installed packages, repos, and fonts are skipped. Safe to re-run. Checks for conflicting apt processes before starting.

🎨

Full GNOME control

Theme, GTK variant, background color, dock size, Night Light temperature, keyboard layouts, power profile — all from the CLI.

Quick start

Up and running in one command.

Download the script, review it, run it. No installer, no package, no PPA.

# Download
curl -O https://raw.githubusercontent.com/franckferman/ubuntu-post-install/main/ubuntu-post-install.sh

# Run with defaults — dark theme, performance, all 15 steps
bash ubuntu-post-install.sh

# Developer setup
bash ubuntu-post-install.sh --extras devops,vscode,signal --apps-profile extra

# Privacy-first workstation
bash ubuntu-post-install.sh --extras privacy --firefox-profiles main --firefox-hardened-profiles main

# VPS / headless server
bash ubuntu-post-install.sh --hardening-profile server --no-lock-root --no-snap --no-mullvad --steps 1,2,4,5
Steps

15 steps. Run all or pick any.

Use --steps 1,3-7,15 to run exactly what you need. Each step is fully independent.

01

System update

Full apt upgrade, autoclean, autoremove. The obvious first step.

02

Firewall

Installs and configures your chosen engine with hardened (drop all incoming) or transparent profile.

ufwnftablesiptables--allow-ssh
03

System settings

GNOME theme, privacy controls, audio, power profile, Night Light, keyboard layouts, dock size.

--theme--power-profile--keyboard-layouts
04

System hardening

Root lock, USBGuard, risky services masked, legacy packages removed. CIS Ubuntu Benchmark aligned.

--hardening-profile--no-usbguard--skip-services
05

Basic apps

APT packages (minimal/default/extra profile), Obsidian, OnlyOffice, Mullvad VPN.

--apps-profile--no-snap--mullvad-source
06

Firefox profiles

Creates profiles, applies arkenfox user.js in hardened or relaxed mode, installs extensions.

--firefox-hardened-profiles--firefox-relaxed-profiles
07

Vim config

vim-plug + gruvbox + NERDTree + vim-airline. Or minimal (no plugin manager) or bare (zero deps).

--vim-preset full|minimal|bare
08

LazyVim

Neovim + LazyVim starter distribution — the modern Neovim setup.

--editor neovim|both|none
09

Nerd Fonts

Downloads the latest release from GitHub, installs to ~/.local/share/fonts. Required for Powerlevel10k glyphs.

10

Oh My Zsh

Unattended Oh My Zsh install. Sets Zsh as the default shell.

11

Zsh customization

Powerlevel10k theme, autosuggestions, syntax highlighting, completions.

12

Zsh plugins

Extended plugin set for a productive terminal.

13

Zsh aliases

Custom alias block written to .zshrc.

14

Powerlevel10k config

Bundled p10k preset applied with optional custom segment overrides.

--p10k-preset--p10k-segments
15

Extra software

Third-party APT repos and Snap packages. Official sources, idempotent, grouped or individual.

--extras <group|name,...>
Extras

19 tools. 7 groups. One flag.

Each extra configures the official keyring and APT source, then installs the package. Groups deduplicate automatically — mix freely.

# Groups
--extras all
--extras browsers
--extras devops,privacy

# Individuals
--extras docker,gh,signal

# Mix
--extras microsoft,signal,spotify
Options

Every default documented.
Every choice overridable.

All flags are parsed before execution. Order doesn't matter.

🔥 Firewall
--firewall
Engine: ufw, nftables, iptables (default: ufw)
--firewall-profile
hardened or transparent (default: hardened)
--allow-ssh
Open port 22 in hardened mode
🔒 Hardening
--hardening-profile
desktop / enterprise / server (default: desktop)
--no-lock-root
Skip root account lock (CIS 5.4.2)
--no-usbguard
Skip USBGuard installation
--skip-services
Comma-separated services to preserve
--skip-packages
Comma-separated packages to preserve
🎨 Display
--theme
dark / light / auto (default: dark)
--gtk-theme
Override GTK theme (Yaru, Adwaita, …)
--bg-color
Desktop background hex color
--dock-icon-size
Icon size 16–128px (default: 42)
⚡ Power
--power-profile
performance / balanced / power-saver
--allow-suspend
Keep auto suspend enabled
--no-night-light
Disable Night Light (default: on)
--night-light-temp
Color temp 1000–6500K (default: 2700)
--keyboard-layouts
xkb codes, e.g. us,fr+azerty
📦 Apps
--apps-profile
minimal / default / extra
--extra-packages
APT packages to add to profile
--skip-apt-packages
APT packages to remove from profile
--no-snap
Skip all Snap installation
--no-mullvad
Skip Mullvad VPN
--mullvad-source
apt / direct / github
🦊 Firefox
--firefox-profiles
Profile names to create (default: root)
--firefox-hardened-profiles
Pure arkenfox — max privacy
--firefox-relaxed-profiles
arkenfox + usability overrides
--firefox-extra-extensions
Install extended extension set
📝 Editor
--editor
both / vim / neovim / none
--vim-preset
full / minimal / bare
--vim-colorscheme
Built-in scheme for bare preset
🐚 Zsh
--p10k-preset
Powerlevel10k prompt preset
--p10k-segments
Apply extended segment config
--steps
Run specific steps e.g. 1,3-7,15
--no-emojis
Plain text output symbols
Examples

Common setups, ready to copy.

Developer machine

bash ubuntu-post-install.sh \
  --apps-profile extra \
  --extras devops,vscode,signal \
  --editor both \
  --power-profile performance

Privacy workstation

bash ubuntu-post-install.sh \
  --extras privacy \
  --firefox-profiles work,personal \
  --firefox-hardened-profiles work \
  --firefox-relaxed-profiles personal

Enterprise laptop

bash ubuntu-post-install.sh \
  --hardening-profile enterprise \
  --keep-avahi --keep-cups \
  --extras microsoft \
  --keyboard-layouts us,fr

VPS / headless server

bash ubuntu-post-install.sh \
  --hardening-profile server \
  --no-lock-root --no-snap \
  --no-mullvad \
  --steps 1,2,4,5

Custom look

bash ubuntu-post-install.sh \
  --bg-color '#1e1e2e' \
  --gtk-theme Yaru-purple-dark \
  --night-light-temp 3200 \
  --dock-icon-size 48

Re-run specific steps

# Hardening and apps only
bash ubuntu-post-install.sh --steps 4,5

# Install all extras
bash ubuntu-post-install.sh --extras all --steps 15

Ready to automate your setup?

One script. Auditable. No internet requirements after download (for most steps).

Download script Read the docs